@kautuk_sahni - here you go with the details.
For establishing authentication on the Publish end, where we will expose data to the systems when they hit the GraphQL endpoint, below mentioned are the steps involved, sequentially as-is, for CUG Implementation.
1. Create a custom folder under "/content/dam", and create any sample content fragments under that folder.
2. Create a custom user group local to AEM instance, push it through repo-init config, on Author and Publish. We have only Author repo-init configuration in the beginning. So, for this need, we added a repo-init config for Publish as well.
Example code for both Author and Publish:
create group <custom_group> with path /home/groups/xyz/
3. Apply permissions to this custom group only on the Publish side, so it has access to the custom folder that holds the CF data for that respective need. Example code:
set ACL for <custom_group>
remove * on /content/dam/<custom_folder>
##Permissions for <custom_group> group
allow jcr:all on /content/dam/<custom_folder>
allow jcr:all on /conf/<cf_model_config_folder>
allow jcr:all on /content/cq:graphql/<endpoint>
end
4. Remove read permissions from the everyone group for that respective custom folder, so it doesn’t expose that data to “everyone” through GraphQL. Example:
set ACL for everyone
remove * on /content/dam/<custom_folder>
##Deny Rules of everyone
deny jcr:all on /content/dam/<custom_folder>
end
5. Add the above sample code from Steps 2-4 in the repoinit config on the Publish side, where all the restriction is needed.
6. Create a technical service user account from AdminConsole for the respective environment.
7. This will now show up in AEM Author Users console. Add the custom group that was created through repo-init to the user and Publish the User.
8. Now generate an Access Token or JWT-Token for hitting the GraphQL endpoint to validate the authentication.
9. Use the generated Access Token from the above step to establish authentication via Postman of type “Bearer token”, and we should see a response.
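Before pushing the repoinit config from Steps 2-5 to Publish, it is worth linting it for the two things that decide whether the CUG actually holds: the everyone group must end up with no allow on the restricted DAM folder, and the custom group must be the only principal granted access there. The script below is an added example (not part of the original post and not AEM's or Sling's own tooling) that parses the `set ACL for ... end` blocks of a repoinit script and reports those conditions; the group name `cf-consumers`, the folder `/content/dam/partner-cf` and the other paths in the embedded script are constructed placeholders standing in for `<custom_group>` and `<custom_folder>`.

```python
"""Added example: lint a Sling repoinit script for the Publish-side CUG pattern.

Checks performed (against a constructed script, not a real instance):
  * 'everyone' must not keep any 'allow' on the restricted DAM folder
  * 'everyone' should carry an explicit 'deny' on that folder
  * the custom group must be granted something on that folder
  * an info finding is raised when that grant is wider than jcr:read
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample mirroring Steps 2-4; names and paths are placeholders.
SAMPLE_SCRIPT = """
create group cf-consumers with path /home/groups/xyz
set ACL for cf-consumers
remove * on /content/dam/partner-cf
# Permissions for cf-consumers group
allow jcr:all on /content/dam/partner-cf
allow jcr:all on /conf/partner-cf
allow jcr:all on /content/cq:graphql/partner
end
set ACL for everyone
remove * on /content/dam/partner-cf
# Deny rules for everyone
deny jcr:all on /content/dam/partner-cf
end
"""


@dataclass(frozen=True)
class Ace:
    principal: str
    action: str      # allow | deny | remove
    privileges: str  # e.g. "jcr:all" or "jcr:read,rep:write"; "*" for remove
    path: str


ACL_HEADER = re.compile(r"^set ACL for\s+(.+)$")
ACE_LINE = re.compile(r"^(allow|deny|remove)\s+(\S+)\s+on\s+(\S+)$")


def parse_repoinit_acls(script: str) -> List[Ace]:
    """Return the ACEs declared inside every 'set ACL for ... end' block."""
    aces: List[Ace] = []
    principals: Optional[List[str]] = None
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments
            continue
        header = ACL_HEADER.match(line)
        if header:
            principals = [p.strip() for p in header.group(1).split(",")]
            continue
        if line == "end":
            principals = None
            continue
        if principals is None:                    # e.g. 'create group' statements
            continue
        ace = ACE_LINE.match(line)
        if not ace:
            raise ValueError(f"unrecognised line inside ACL block: {line!r}")
        action, privs, paths = ace.groups()
        for principal in principals:
            for path in paths.split(","):         # repoinit allows path lists
                aces.append(Ace(principal, action, privs, path))
    return aces


def check_cug(aces: List[Ace], restricted_path: str, group: str) -> List[Tuple[str, str]]:
    """Return (level, message) findings; an empty list means the folder is closed."""
    findings: List[Tuple[str, str]] = []
    base = restricted_path.rstrip("/")

    def under(path: str) -> bool:
        return path == base or path.startswith(base + "/")

    everyone = [a for a in aces if a.principal == "everyone" and under(a.path)]
    for a in everyone:
        if a.action == "allow":
            findings.append(("error", f"everyone keeps 'allow {a.privileges}' on {a.path}; "
                                      "anonymous GraphQL reads would still succeed"))
    if not any(a.action == "deny" for a in everyone):
        findings.append(("warn", f"no explicit deny for everyone on {base}; "
                                 "access then depends on inherited ACLs"))

    grants = [a for a in aces if a.principal == group and a.action == "allow" and under(a.path)]
    if not grants:
        findings.append(("error", f"{group} has no allow on {base}; token holders would be denied too"))
    for a in grants:
        if set(a.privileges.split(",")) - {"jcr:read"}:
            findings.append(("info", f"{group} is granted {a.privileges} on {a.path}; "
                                     "read-only GraphQL consumers need only jcr:read"))
    return findings


if __name__ == "__main__":
    for level, msg in check_cug(parse_repoinit_acls(SAMPLE_SCRIPT),
                                "/content/dam/partner-cf", "cf-consumers"):
        print(f"[{level}] {msg}")
```

Run it against the real script by replacing `SAMPLE_SCRIPT` with the file contents; an `error` finding means the folder is still readable anonymously (or not readable by the token holder) and the config should not be deployed as-is.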